vault

Simple password generator. Given a passphrase and the name of a service, returns
a strong password for that service. You only need to remember your passphrase,
which you do not give to anyone, and this program will give a different password
for every service you use. The passphrase can be any text you like.

Given the same passphrase and service name, the program will generate the same
result every time, so you can use it to 'look up' those impossible-to-remember
passwords when you need them.

According to Dropbox's zxcvbn password strength measure, if a password made of
dictionary English words takes about a second to crack, those generated by
vault take over a million times the age of the observable universe to crack by
brute force.

Finally, some sites do not allow passwords containing strings of repeated
characters beyond a certain length. For example, a site requiring passwords not
to contain more than two of the same character in a row would reject the
password ZOMG!!! because of the 3 ! characters. Vault lets you express this
requirement using -r or --repeat; this option sets the maximum number of
times the same character can appear in a row.

$ vault google -p -r 2

Using your private key

Instead of a simple passphrase, vault can use a value signed using your
private key as its input. Use the --key or -k option:

$ vault twitter -k
Which key would you like to use?
1: james@tesla, AAAAB3NzaC1y...+XRS6wsfyB7D
2: james@tesla, AAAAB3NzaC1y...B4vwPOArAIKb
Enter a number (1-2): 1
\vXY"xP}m7;,./eI{cz<

If you only have one private key, that is used automatically. If you have
several, a menu is displayed as above using snippets from the corresponding
public keys. You will be prompted to unlock the selected key if necessary.

Note that all the prompts shown to you while using vault are printed to
stderr and the generated password to stdout, so you can pipe vault to
pbcopy and you'll just get the password in your clipboard, e.g.:

$ vault twitter -k | pbcopy
Which key would you like to use?
# etc.

Saving your settings

If you like, you can store your passphrase on disk; vault will save it in a
file called .vault in your home directory.

The .vault file is encrypted with AES-256, using your username as the key by
default. You can set your own key using the VAULT_KEY environment variable.
You can also change the location of the file using the VAULT_PATH variable,
for example you might set VAULT_PATH=Dropbox/.vault to sync it using Dropbox.
If you do this, make sure any files containing the key are NOT also exposed to
third-party services.

If you're using your private key instead of a passphrase, you can save your
--key setting. The config file ends up storing the public key, not the private
key or any value derived from it. Next time you run vault, the public key is
used to find the corresponding private key from ssh-agent.

If you'd like to get a plain-text copy of the encrypted settings file, or import
a previously exported settings file, you can use the --export and --import
flags. --export writes the contents of the .vault file to the given path,
while --import reads the given file and stores it encrypted in your .vault
file. This can be used, for example, to change the encryption key:

Deleting saved settings

You can delete any saved setting using the --delete, --delete-globals and
--clear options. (--delete is aliased as lowercase -x and --clear as
uppercase -X.) --delete removes settings for an individual service,
--delete-globals removes your global settings and --clear deletes all saved
settings.

$ vault --delete twitter
This will delete your "twitter" settings. Are you sure? (Y/n): Y
$ vault --delete-globals
This will delete your global settings. Are you sure? (Y/n): Y
$ vault --clear
This will delete ALL your settings. Are you sure? (Y/n): Y

How does it work?

vault takes your passphrase and a service name and generates a hash from them
using PBKDF2. It then encodes the bits of this hash using a 94-character
alphabet, subject to the given character
constraints. This design means that each password is very hard to break by brute
force, and ensures that the discovery of one service's password does not lead to
other accounts being compromised. It also means you can tailor the output to the
character set accepted by each service. The use of a deterministic hash function
means we don't need to store your passwords since they can easily be regenerated;
this means there's no storage to sync or keep secure.

License

(The MIT License)

Copyright (c) 2011-2013 James Coglan

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the 'Software'), to deal in
the Software without restriction, including without limitation the rights to use,
copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the
Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.